Summary: As digital software supply chains explode, a wave of new third-party risks is introduced into some of the most sensitive ecosystems, including government and critical infrastructure. SBOMs are quickly gaining momentum as a primary way to expose weaknesses in the supply chain and decrease supply chain threats.

Since President Biden’s 2021 Executive Order made Software Bills of Materials mandatory for federal contractors, SBOMs have become an increasingly high agenda priority for security departments of all industries. With supply chain threats predicted to cost the world $60 billion annually by next year, they have become a bigger focus. So, how do SBOMs reduce third-party risks, and how can critical infrastructure sectors leverage them to their best advantage?

The Steady Growth of Supply Chain Threats

According to Gartner predictions, nearly half (45%) of the world will have experienced an attack on their software supply chain by 2025. This is three times the number affected in 2021.

Several factors account for the increase. Digital supply chain attacks give attackers a high ROI. Think of all the “free” damage done by Log4j; 40% of global networks were jeopardized from a single CVE. Additionally, hyper-distributed environments, remote work, and cloud migration have forced digital supply chains to become longer, more far-flung, and even more intricately connected. This adds to the “more bang for your buck” appeal, along with force-multiplying attack vectors, places to hide, and statistical chances for error.

With this in mind, cybercriminals are unleashing more venom into the digital supply chain than ever before, particularly in open-source ecosystems. One industry report notes that the number of malicious packages uploaded to public component registries has tripled in the past year. According to the same report, “This pace of growth is astonishing. It signals the role of the supply chain as one of the fastest-growing vectors for adversaries to execute malicious code. Furthermore, we have seen an increase in nation-state actors leveraging these vectors.”

That meteoric rise in third-party incidents has prompted a harder look at the security levers that could secure the supply chain, particularly SBOMs.

SBOMs: Defending from the Inside Out

While SBOMs are mandatory for any agency selling software to the federal government, they are a growing best practice that is becoming less of a “have to” and more of a “want to.” With the expansion of digital supply chains, SBOMs have now become an integral part of attack surface management.

Russell Jones, a partner with Deloitte & Touche LLP, U.S. Cyber and Strategic Risk Practice, explained why in an article in WIRED. Describing the problem, he states, “To understand the cyber risk present in software products throughout the supply chain, an organization needs visibility into the components that make up the software product. If a malware or ransomware attack occurs in an Internet of Things (IoT) device or commercial off-the-shelf (COTS) product, companies have a complex web of software vendors to investigate and identify vulnerabilities among a multitude of open source and third-party software components.” To counter that blinding web of software-origin complexity, “SBOMs are like ‘ingredient’ lists that can help security analysts (and adversaries just the same) more easily identify potentially impacted/vulnerable components” among so many.

SBOMs and Critical Infrastructure

Critical infrastructure sectors particularly stand to benefit from this degree of build-level transparency.

Healthcare has been leading the charge to standardize and utilize SBOMs to their fullest, resulting in safer IoT medical devices in the field. Now, device manufacturers are creating machine-readable SBOMs that provide useful information for vulnerability management and incident response to hospital-based IT teams.

Other sectors have just as much need for SBOMs, if not more. As much as 90% of products used by U.S. electric utilities contain components from China or Russia, which were three times more likely to contain critical vulnerabilities. Disconcertingly, Dark Reading reports that new research reveals that those vulnerabilities can “lie in wait” for up to three years. Not a comforting thought.

That’s why critical infrastructure needs to start making the transition. Admittedly, there is much legacy architecture within the OT of current CNI sectors. However, as Sounil Yu, CISO of JupiterOne, says, “Legacy software without an SBOM is like a can of food from the 1920s without an ingredient label. Consume at your own risk.”

That’s why new legislation makes SBOMs a must for government agencies. The U.S. Army is already considering proactive ways of using them to shore up their vast supply chain, stating in their recent RFI that SBOMs would “provide increased fidelity into the Army software supply chain to query components on-demand and target mitigations for high-risk software components” as well as “enhance the security of the Army’s software supply chain and enable proactive risk mitigation.”
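To make concrete what the “ingredient list” described by Jones and the Army RFI’s “query components on-demand and target mitigations” look like in practice, here is an added example (not code from the original article, Itegriti, or any SBOM tool). It parses a small constructed CycloneDX-style SBOM, cross-references each component against a constructed advisory feed (the advisory IDs are placeholders, not real CVEs), and reports which components are below the fixed version and which cannot be assessed at all because the SBOM entry carries no version, which is the machine-readable form of Yu’s “can of food without an ingredient label.”

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed minimal CycloneDX-style SBOM for illustration; not from any real product.
# The last component deliberately has no version to show how an incomplete SBOM limits assessment.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.4"},
    {"type": "library", "name": "openssl", "version": "3.0.7"},
    {"type": "library", "name": "legacy-parser"}
  ]
}
"""

# Constructed advisory feed. IDs are placeholders (hypothetical), not real CVE numbers.
# "fixed_in" is the first version that is no longer affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "log4j-core", "fixed_in": "2.16.0", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-2", "name": "openssl", "fixed_in": "3.0.8", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-3", "name": "jackson-databind", "fixed_in": "2.13.0", "severity": "medium"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1). Non-numeric suffixes are dropped: '1.2.3-rc1' -> (1, 2, 3)."""
    parts: List[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b; shorter tuples are zero-padded so '1.2' < '1.2.1'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def load_components(sbom_text: str) -> List[Dict]:
    """Extract the component list from a CycloneDX JSON document."""
    return json.loads(sbom_text).get("components", [])


def query_component(components: List[Dict], name: str) -> List[Dict]:
    """On-demand query: every SBOM entry with the given name (the 'where is X used?' question)."""
    return [c for c in components if c.get("name") == name]


def assess(sbom_text: str, advisories: List[Dict]) -> Dict[str, List]:
    """Match each SBOM component against the advisory feed.

    Returns {"affected": [...findings...], "unassessable": [names without a version]}.
    A component is affected when its version is older than the advisory's fixed_in version.
    """
    by_name: Dict[str, List[Dict]] = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)

    affected: List[Dict] = []
    unassessable: List[str] = []
    for comp in load_components(sbom_text):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        if not version:
            # No version recorded: the SBOM cannot tell us whether this entry is vulnerable.
            unassessable.append(name)
            continue
        for adv in by_name.get(name, []):
            if version_lt(version, adv["fixed_in"]):
                affected.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed_in"],
                })
    return {"affected": affected, "unassessable": unassessable}


if __name__ == "__main__":
    report = assess(SBOM_JSON, ADVISORIES)
    for finding in report["affected"]:
        print(f"{finding['severity'].upper():8} {finding['component']} {finding['version']} "
              f"-> upgrade to {finding['fixed_in']} ({finding['advisory']})")
    for name in report["unassessable"]:
        print(f"UNKNOWN  {name}: no version in SBOM, cannot assess")
```

The `unassessable` bucket is the practical caveat: an SBOM is only as useful as the fields it carries, so a consumer should treat entries without a version (or a purl) as findings in their own right rather than silently skipping them. Real tooling would also match on purl rather than bare name to avoid collisions between same-named packages from different ecosystems.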

Moving forward, the future is bright as third-party risk reduction increasingly becomes the rule, not the exception. Early adopters will find the doors to government contracts open to them, perhaps finding fewer compliant competitors than before.

Itegriti’s expertise lies in securing some of the nation’s largest critical infrastructure sectors and can help you (and your supply chain) stay compliant with current government regulations. Our Product Security Platform generates SBOMs in multiple formats to expose lurking vulnerabilities in your software supply chain and clamp down on burgeoning third-party threats.

ITEGRITI has deep experience across critical infrastructure cybersecurity programs, compliance, risk, and audit. Contact us today to learn how we can leverage this experience to help you accomplish your cybersecurity goals.

Contact Us: https://itegriti.com/contact/

ITEGRITI Services: https://itegriti.com